The list shows three types of entries

• Pre-defined: Pushed via content update
• Shared: Custom shared entries created by admin
• Custom per VSYS: Custom entries specific to VSYS created by admin

Pre-defined entries can be modified, disabled or enabled per VSYS.

All the entries in a list must be unique: If a pre-defined entry matches an existing custom entry then custom entry takes precedence and remains unchanged

Entries in the list are compared against the SNI requested in Client Hello or CN/SAN names in the certificate

• If a match occurs with an enabled entry in the exclude list, then decryption for that web-site will be bypassed
• If no match occurs then the firewall will decrypt the traffic

It’s possible that the pre-defined, shared, VSYS lists have the same hostname. For example, they all have ‘*.icloud.com’ hostname with different status ‘enable’ or ‘disable’

The sequence for data plane to decide exclusion is: VSYS, shared, pre-defined

Manually adding an exclusion:

1. SSL Decryption Exclusion > Add Entry
2. Hostname: Common name of the certificate that needs to be excluded from decryption. It is Case Sensitive.
3. Description: A custom message
4. Check “Exclude” radio button

Commands available via CLI

• New exclude entries can be configured using:

# set shared ssl-decrypt ssl-exclude-cert  *.bankofamerica.com   *.bankofamerica.com  *.ycharts.com         *.ycharts.com  <value>               SSL Decryption Exclusion entry name

• Predefined entries can be enabled/disabled from using:

# set shared ssl-decrypt disabled-ssl-exclude-cert-from-predefined  [Start a list of values].

• Predefined Test command for testing a web-site against the exclude list on the firewall

test ssl-exclude-list
> predefined   Test hostname in predefined SSL Exclude list
> shared       Test hostname in shared SSL Exclude list
> vsys         Test hostname in vsys SSL Exclude list